Windows Server 2008 Active Directory, Configuring
Question No: 121 – (Topic 2)
ABC.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in the process of restoring the OU.
You need to execute a non-authoritative restore before an authoritative restore of the OU.
Which backup should you use to perform a non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on the domain controller?
A. Critical volume backup
B. Backup of all the volumes
C. Backup of the volume that hosts the operating system
D. Backup of AD DS folders
E. All of the above
Answer: A
Explanation:
Performing a Nonauthoritative Restore of AD DS
http://technet.microsoft.com/en-us/library/cc730683(v=ws.10).aspx
To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a system state backup.
To restore a system state backup, use the wbadmin start systemstaterecovery command.
You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if you do not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use the wbadmin start recovery command.
Question No: 122 – (Topic 2)
You have a DNS zone that is stored in a custom application directory partition. You install a new domain controller.
You need to ensure that the custom application directory partition replicates to the new domain controller.
What should you use?
A. the Active Directory Administrative Center console
B. the Active Directory Sites and Services console
C. the DNS Manager console
D. the Dnscmd tool
Explanation:
dnscmd /enlistdirectorypartition: Adds the DNS server to the specified directory partition's replica set.
Question No: 123 – (Topic 2)
Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1. What should you do?
A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.
Answer: A
Explanation:
Change the Zone Replication Scope
http://technet.microsoft.com/en-us/library/cc754916.aspx
You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)-integrated primary and stub forward lookup zones can change their replication scope.
Understanding DNS Zone Replication in Active Directory Domain Services
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes.
The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.
When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS-integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest.
AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog.
AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000.
If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data.
By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.
Question No: 124 – (Topic 2)
Your network contains a domain controller that has two network connections named Internal and Private.
Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address.
What should you do?
A. Modify the netlogon.dns file on the domain controller.
B. Modify the Name Server settings of the DNS zone for the domain.
C. Modify the properties of the Private network connection on the domain controller.
D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.
Answer: C
Explanation:
Steps to avoid registering unwanted NIC(s) in DNS on a Multihomed Domain Controller
Symptoms
On domain controllers with more than one NIC, where each NIC is connected to a separate network, the Host (A) DNS registration can occur for unwanted NIC(s).
If the client queries for the DC's DNS records and gets an unwanted record, or the record of a different network that the client cannot reach, the client will fail to contact the DC, causing authentication and many other issues.
The DNS server will respond to the query in a round-robin fashion. If the DC has multiple NICs registered in DNS, the DNS server will serve the client all the records available for that
To prevent this, we need to make sure the unwanted NIC address is not registered in DNS. Below are the services that are responsible for Host (A) record registration on a DC:
DNS Server service (if the DC is running the DNS Server service)
DHCP Client / DNS Client service (2003/2008)
If the NIC is configured to register the connection address in DNS, the DHCP Client/DNS Client service will register the record in DNS. The unwanted NIC should be configured not to register its connection address in DNS.
If the DC is running the DNS Server service, the DNS service will register a Host (A) record for each interface it is set to listen on. The Name Servers tab of the zone properties lists the IP addresses of the interfaces present on the DC. If both IPs are listed, the DNS server will register Host (A) records for both IP addresses.
We need to make sure that only the required interface listens for DNS and that the Name Servers tab of the zone properties contains only the required IP address.
Resolution
To avoid this problem, perform the following three steps (it is important that you follow all the steps to avoid the issue).
1. Under Network Connections: on the unwanted NIC, open TCP/IP Properties -> Advanced -> DNS and uncheck "Register this connection's addresses in DNS".
2. Open the DNS server console, highlight the server in the left pane, select Action -> Properties, and on the Interfaces tab select "Listen on only the following IP addresses". Remove the unwanted IP address from the list.
3. In the zone properties, select the Name Servers tab. Along with the FQDN of the DC, you will see the IP address associated with the DC. Remove the unwanted IP address if it is listed. After performing this, delete the existing unwanted Host (A) record of the DC.
Question No: 125 – (Topic 2)
You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. It has an Active Directory domain.
You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts itself down. To trace and rectify the problem, you create a Group Policy Object (GPO).
You need to change the domain security settings to trace the shutdowns and identify the cause of it.
What should you do to perform this task?
A. Link the GPO to the domain and enable the Audit System Events option
B. Link the GPO to the domain and enable the Audit Object Access option
C. Link the GPO to the Domain Controllers OU and enable the Audit Object Access option
D. Link the GPO to the Domain Controllers OU and enable the Audit Process Tracking option
E. Perform all of the above actions
Answer: A
Explanation:
Audit system events
http://msdn.microsoft.com/en-us/library/ms813610.aspx
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Description: Determines whether to audit when a user restarts or shuts down the computer, or when an event has occurred that affects either the system security or the security log.
By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and in the local policies of workstations and servers.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when a system event is successfully executed. Failure audits generate an audit entry when a system event is unsuccessfully attempted. You can select No auditing by defining the policy setting and unchecking Success and Failure.
Question No: 126 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com.
You discover that non-domain member computers register records in the contoso.com zone.
You need to prevent the non-domain member computers from registering records in the contoso.com zone.
All domain member computers must be allowed to register records in the contoso.com zone.
What should you do first?
A. Configure a trust anchor.
B. Run the Security Configuration Wizard (SCW).
C. Change the contoso.com zone to an Active Directory-integrated zone.
D. Modify the security settings of the %SystemRoot%\System32\Dns folder.
Answer: C
Explanation:
Active Directory-Integrated Zones
http://technet.microsoft.com/en-us/library/cc772746(v=ws.10).aspx
DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages:
Multiple masters are created for DNS replication. Therefore:
Any domain controller in the domain running the DNS server service can write updates to the Active Directory-integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS.
Question No: 127 – (Topic 2)
The company has an Active Directory forest with a single domain.
The company needs a distributed application that uses a custom application directory partition; the application is named PARDAT.
You need to implement this application for data replication.
Which two tools should you use to achieve this task? (Choose two answers. Each answer is part of a complete solution.)
All of the above
Answer: A,B
Explanation:
How to create and apply a custom application directory partition on an Active Directory-integrated DNS zone in Windows Server 2003
You can create a custom Active Directory partition by using the DnsCmd command.
If the new naming context that you created does not appear in the Repadmin output, you can verify the state of this naming context by using the Ntdsutil command.
Question No: 128 HOTSPOT – (Topic 2)
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers.
The domain controllers are configured as shown in the following table.
You need to enable universal group membership caching in the Seattle site. Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
Question No: 129 – (Topic 2)
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates.
You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).
What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Answer: C
Explanation:
Manage Certificate Enrollment Policy by Using Group Policy
http://technet.microsoft.com/en-us/library/dd851772.aspx
Configuring certificate enrollment policy settings by using Group Policy
Question No: 130 – (Topic 2)
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card.
Your company's corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain. What should you do?
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.
Delete or disable an Active Directory account? One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this, but common sense does.
The case for deleting an account is that, BOOM, no more access. No ifs, ands, or buts: if there is no account, it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away.
And then the reason for MSFT's lack of direction came into play: individual needs of the customer. This particular customer is a public school system, and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.